(2008-12-13) CLM 2007 And W2K8 Certificate Services Now Supported Together

CLM 2007 is the Certificate and Smart Card Management component of ILM 2007 (FP1). It performs the role of a registration authority against one or more Windows Server Enterprise CAs. On each CA that is used through CLM, a CLM policy module and exit module must be installed and configured. These CLM modules communicate with both the CLM Server and the SQL Server, and they control the handling of certificates at the CA.

Initially, CLM 2007 supported only Windows Server 2003 Enterprise CAs, not Windows Server 2008 Enterprise CAs. It was not possible to install the policy and exit modules mentioned above, or even CLM 2007 itself, on a Windows Server 2008 computer.

However, Microsoft has released a hotfix that makes CLM 2007 fully compatible with Windows Server 2008 computers. That means CLM 2007 can be installed on Windows Server 2008 (officially supported) if required, and/or the policy and exit modules can be installed on a Windows Server 2008 based CA. Both apply to the 32-bit architecture only. If you are interested in using CLM on the 64-bit architecture you must wait until ILM "2" has been released.

The hotfix is described in MS-KBQ946797 "A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1". Wait, don't go and get it yet! Keep reading! Through this KB article it is possible to request the hotfix by using the "View and request hotfix downloads" option at the beginning of the article. However, the hotfix that can be requested through the KB article only applies to CLM 2007 on Windows Server 2003. It does not help you if you want to install CLM 2007 on Windows Server 2008. For that part (the W2K8 compatibility solution) Microsoft does not provide a hotfix; instead it provides a new, fully Windows Server 2008 compatible CLM 2007 installation. To get those new installation binaries you need to call Microsoft PSS, reference the KB article and specifically mention that you need the Windows Server 2008 compatible installation binaries of CLM 2007 (issue 5; see the KB article). So, again: not the hotfix, but the installation binaries! I have been there and I know. ;-))

In addition to the new installation binaries, you still need a valid license with a product key. If you do not have a product key, you are entitled to evaluate CLM 2007 for 180 days.

So, this is a nice story about installing CLM 2007 on Windows Server 2008. But what is really behind it, and why is it so important? First of all, it makes CLM 2007 compatible with Windows Server 2008, and secondly it lets you leverage a Windows Server 2008 based CA with CLM 2007. For organizations it can make a big difference whether they are using Windows Server 2003 Enterprise CAs or Windows Server 2008 Enterprise CAs. Windows Server 2003 CAs lack the capability of achieving high availability through clustering technologies. In Windows Server 2008 it is possible to cluster the Certificate Services, and this is, amongst other things, a big improvement! And that is why this is very important. To appreciate the importance of having highly available Enterprise issuing CAs, it is necessary to understand the unavailability scenarios that can occur with Windows Server CAs. The following scenarios apply:

AD.1: The consequences of this scenario are generally not catastrophic, in the sense that problems arise one at a time. It is possible to deploy multiple Enterprise issuing CA servers to overcome situations where a single Enterprise issuing CA server fails, as this helps maintain an issuing capability. However, there is always an affinity between an issued certificate and the Enterprise CA that issued it. For instance, whichever Enterprise CA issued a certificate must be available to perform a revocation or renewal of that certificate, or to recover its archived private key.

AD.2: The consequences of this scenario can be quite dramatic, potentially resulting in smart card logon (amongst other things) failing throughout the entire environment for those users whose smart card logon certificates were issued by the Enterprise CA that has failed or has become unavailable for whatever reason. This occurs if a fresh CRL is not published in a timely manner by the Enterprise CA that issued the smart card logon certificates: once the CRL passes its NextUpdate time, domain controllers can no longer validate those certificates. Measures exist that can be taken to mitigate the disaster scenario presented here, such as manual re-signing of stale CRLs (see: CA Maintenance – CRL Re-Sign; also, from the command line, CERTUTIL -sign -?) and/or registry settings on domain controllers that allow smart card logon certificate validation with stale CRLs (see: MS-KBQ887578 "You receive a 'Logon failure' message when you use a smart card on a Windows Server 2003-based computer").
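The trigger for scenario AD.2 is a CRL that has passed its NextUpdate time. The following added example (not code from the original post, CLM or Windows Certificate Services) builds a small test CRL with the Python `cryptography` package and reports whether it is still fresh, and how many hours remain before relying parties start rejecting certificates; the CA name, the throwaway signing key and the 24-hour validity period are all constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_test_crl(this_update, validity_hours):
    """Construct a signed, empty CRL valid from this_update for validity_hours.

    Constructed test data only: a throwaway RSA key stands in for the CA key
    and the issuer name is hypothetical.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Issuing CA")])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(this_update)
        .next_update(this_update + timedelta(hours=validity_hours))
    )
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def _next_update_utc(crl):
    # Newer 'cryptography' releases expose an aware datetime; older ones a naive UTC one.
    aware = getattr(crl, "next_update_utc", None)
    if aware is not None:
        return aware
    return crl.next_update.replace(tzinfo=timezone.utc)


def crl_status(der_bytes, now):
    """Return (is_stale, hours_until_next_update) for a DER CRL as seen at 'now'.

    A negative hour count means the CRL is already stale: a domain controller
    validating a smart card logon certificate from this issuer will reject it
    until a fresh or re-signed CRL is published.
    """
    crl = x509.load_der_x509_crl(der_bytes)
    hours = (_next_update_utc(crl) - now).total_seconds() / 3600
    return hours < 0, round(hours, 2)


def run_demo():
    """Check one 24-hour CRL 12h and 30h after publication; returns {offset: status}."""
    published = datetime(2008, 12, 13, tzinfo=timezone.utc)
    crl_der = build_test_crl(published, validity_hours=24)
    return {h: crl_status(crl_der, published + timedelta(hours=h)) for h in (12, 30)}


if __name__ == "__main__":
    for offset, (stale, hours) in run_demo().items():
        print(f"{offset:>2}h after publication: stale={stale} hours_left={hours}")
```

In practice the DER bytes would come from the CRL fetched from the CA's CDP, and a monitoring job that alerts well before the remaining hours reach zero gives the re-signing step described above enough lead time.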